PageUp Breach: 'No Specific Evidence' of Data Exfiltration

Australian human resources software developer PageUp says it has found "no specific evidence" that attackers removed data after the company warned in May that it had been breached. But investigators have found that attackers installed all of the tools they would have needed to exfiltrate data.

PageUp's breach update, posted on its website, closes the loop on what has proved to be a lengthy and challenging investigation into the incident, which the company discovered on May 23.

The company's conclusion, reached nearly six months after it learned it had been hacked, demonstrates how long it can take a company to thoroughly investigate a breach, as well as the backlash that companies may endure as investigators scramble to uncover facts.

"A detailed forensic investigation on the PageUp security incident in May this year has concluded that while an attacker was successful in installing tools that could exfiltrate data, no specific evidence was found that data was exfiltrated," the company says.

Klein & Co., a forensics and consulting firm based in Sydney, reached the conclusion, PageUp says. But PageUp hasn't revealed how attackers were able to infiltrate its systems or what kind of malware they installed. It's also not clear how robust its intrusion detection or logging systems might have been, which could potentially have sped up breach detection as well as mitigation efforts.

Prominent Breach

Many large companies in Australia use PageUp, including Commonwealth Bank, Aldi, Telstra, the ABC, Coles, Australia Post and Officeworks. Many of those companies stopped using PageUp while the company investigated the attack, which somewhat hampered their hiring processes (see: HR Service Provider PageUp Discloses Data Breach).

PageUp develops a range of cloud-based applications that companies use to screen employees, onboard new workers and manage performance reviews. It also has software for managing contractors, as well as their payrolls and time sheets. PageUp says it has 2 million active monthly users in 90 countries.

PageUp's breach was perhaps the most prominent such incident to occur in Australia this year. Companies that use PageUp's software sent out notices to those who had applied for jobs using the systems. Those emails caused a fair amount of anxiety because of the kinds of data collected from job seekers.

Breach Backlash

PageUp leaned toward the worst-case scenario after the incident became public, in what proved to be an honest, bite-the-bullet move that nevertheless triggered a backlash.

"While investigations continue, on the balance of probabilities, we believe certain personal data relating to our clients, placement agencies, applicants, references and our employees has been accessed," PageUp CEO Karen Cariss warned customers in a breach update the company had released on June 12.

The company warned the exposed data may have included names, street addresses, email addresses and phone numbers. It said that those who had successfully gained employment as a result of a job application filed through its systems were at a greater risk. Those individuals may have had their birth dates, nationalities, employment offer details, employment numbers, pre-employment checks and referee details exposed (see: PageUp Breach: Job Winners Hit Hardest).

PageUp also recommended that all users change their passwords. The breach potentially exposed their names, email addresses and authentication credentials. But the passwords were salted and hashed with bcrypt, which is considered good practice and makes any leaked hashes less vulnerable to password cracking attempts.

'Commendable Transparency'

PageUp bore the brunt of public outrage because its breach affected so many people in Australia who had used its systems.

The company drew praise, however, for its quick response, including from the Australian Cyber Security Center, the Office of the Australian Information Commissioner and IDCare, an organization that helps people recover from ID theft.

PageUp "demonstrated a commendable level of transparency" and quickly engaged with those affected, said Alastair MacGibbon, head of the Australian Cyber Security Center, in a joint statement on June 18.

PageUp notified its customers as well as the ACSC and the OAIC, which enforces the country's data protection regulations. An amendment to Australia's Privacy Act 1988 that went into effect in February requires certain organizations to report data breaches that have a risk of causing serious harm (see: Australia Enacts Mandatory Breach Notification Law).

The law applies to companies and governmental organizations that are covered by the Privacy Act, but excludes from the reporting requirement businesses that have less than 3 million Australian dollars ($2.2 million) in annual revenue. Fines for violating the law range from AU$360,000 for individuals to AU$1.8 million for organizations.

PageUp also disclosed the breach to the U.K. Information Commissioner's Office, which enforces privacy rules, including the EU's General Data Protection Regulation, across the United Kingdom.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
